"Using the XKS CNE dataset and a DISGRUNTLEDDUCK fingerprint, we now see at least 21 TAO boxes with evidence of this intrusion set, most of which are associated with projects aimed at Iran WMD targets." - MHS, July 2010
The overall classification of this presentation is:
• A suite of software running on a Linux host

• Classically used for DNI processing: selection and survey

• A distributed hierarchy of servers at field sites and headquarters

  • Extract and tag metadata & content from traffic

  • Servicing analyst queries and workflows

• Web and programmatic front-ends
Let's try a search for suspicious stuff...

http_activity search, 5-eyes defeat, look for fingerprints:

ndist/discovery/heuristic/BHAM/get_with_content or http/get/with_content

While the search runs, some gotchas:

• You choose where your query is run

• Content and metadata age-off

• Burden is on user/auditor to comply with USSID-18 or other rules

• Geolocation based on IP
Notes:

• Strange User-Agent

• Probably MOT ONE, but definitely something non-standard

• Content: maybe an HTTP tunnel for some weird protocol?

  Reset from local...

• Should we write a fingerprint?
Useful for identifying classes of traffic or particular targets (for SIGDEV or collection):

  mail/webmail/yahoo

  browser/cellphone/blackberry

• appid - a contest, highest scoring appid wins

• fingerprint - many fingerprints per session

• microplugin - a fingerprint or appid that is relatively complex (e.g. extracts and databases metadata)
Written in a language called 'GENESIS' (go genesis-language):

  ...('http/wikipedia', 2.0) = ... 'wikimedia' ... ;

  fingerprint('dni/malware/MalwareDomains') =
      dnshost('erofreex.info') or 'datayakoz.info'
      or 'erogirlx.info' or 'pornero.info' or ...

• If a fingerprint contains a schema definition, a search form automatically appears in the XKEYSCORE GUI

• Power users can drop in to C++ to express themselves
Many different searches

• Base search is Full Log

• Depending on traffic type, will generate searchable results for (example): HTTP Activity, Network Information, GEO Info, Extracted Files, Email Addresses, Registry, Logins and Passwords, Document Metadata, Machine Info

• workflow - a user query that is run automatically, usually every 24 hours
• Not all sites run the latest XKEYSCORE software or fingerprints

• fingerprint submission:

  • XKEYSCORE team weighs mission-worthiness of user fingerprints vs computational cost

• Content and metadata age-off
Lots of endpoint data flows into XKS

• TAO (no ECIs), GCHQ (almost all)

• Other limited flows include SIGINT Forensics Center, TAO STA

• XKEYSCORE works well for endpoint data

• Sometimes the paradigm breaks, e.g. collected browser history file
• Payload types: dirwalk, extracted file system survey, network config, captured credentials, registry query, key logger, etc.

• Labeled dnt_payload in appid/fingerprint ontology

• Let's look at some DANDERSPRITZ data...
Recent Developments

• Upgrade of XKEYSCORE CIE

• Keyloggers: keylogger/perfect/extension

• PCAP Reingestion

• Router Redirection
Methodology

(refer to Counter CNE Resources slide...)

• Hypothesis/research-driven

  • "Could South Korean CNE be using similar selectors to FVEY CNE?"

  • What keywords could be used to find keyloggers? example: keylog OR keystroke

• Bogus or Unusual Traffic

  • HTTP GET with content (example in this presentation)

  • HTTP POST at odd hours (from Russia 0200-0359Z)

  • Funky user agents

• Known-Host or User driven (e.g. drop sites)

• XKEYSCORE is GOOD at these kinds of things
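As an added example (not part of the deck and not XKEYSCORE's own code), the "Bogus or Unusual Traffic" checks above, plus the GET-without-response imbalance mentioned later, expressed as triage rules over constructed HTTP session records. The record field names and the browser user-agent allow-list are assumptions.

```python
"""Triage heuristics for HTTP sessions: GET with content, POST at odd hours,
non-standard user agents, and requests that never got a response."""
from datetime import datetime

# Constructed sample sessions; field names are an assumption, not XKS column names.
SESSIONS = [
    {"id": 1, "method": "GET", "req_body_len": 0, "resp_len": 5120,
     "ua": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
     "ts": "2011-03-28T10:51:28Z", "src_cc": "US"},
    {"id": 2, "method": "GET", "req_body_len": 931, "resp_len": 0,
     "ua": "xclient 1.0",
     "ts": "2011-03-28T10:52:03Z", "src_cc": "IR"},
    {"id": 3, "method": "POST", "req_body_len": 2048, "resp_len": 300,
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0)",
     "ts": "2011-03-29T02:45:10Z", "src_cc": "RU"},
    {"id": 4, "method": "POST", "req_body_len": 512, "resp_len": 200,
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0)",
     "ts": "2011-03-29T14:05:00Z", "src_cc": "RU"},
]

# Assumption: prefixes of ordinary browser User-Agents; anything else is "funky".
KNOWN_UA_PREFIXES = ("Mozilla/", "Opera/")


def flags_for(s):
    """Return the list of heuristic names a single session trips."""
    flags = []
    # A GET carrying a request body is unusual for a browser; the deck's example case.
    if s["method"] == "GET" and s["req_body_len"] > 0:
        flags.append("get_with_content")
    # Paired-traffic imbalance: a request with no response at all.
    if s["resp_len"] == 0:
        flags.append("request_without_response")
    # POST from Russia during the deck's 0200-0359Z window (timestamps are UTC).
    ts = datetime.strptime(s["ts"], "%Y-%m-%dT%H:%M:%SZ")
    if s["method"] == "POST" and s["src_cc"] == "RU" and 2 <= ts.hour < 4:
        flags.append("post_at_odd_hours")
    # User-Agent that does not look like any known browser.
    if not s["ua"].startswith(KNOWN_UA_PREFIXES):
        flags.append("funky_user_agent")
    return flags


def triage(sessions):
    """Map session id -> flags, keeping only sessions that tripped something."""
    result = {}
    for s in sessions:
        flags = flags_for(s)
        if flags:
            result[s["id"]] = flags
    return result


if __name__ == "__main__":
    for sid, flags in triage(SESSIONS).items():
        print(sid, ", ".join(flags))
```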
• Registry searches (e.g. SIMBAR)

• Used Active/Passive search

  • common selectors

  • document hashes

• Known Processes (malicious executables or code)

  ... Let's enhance the process list appid

  • map-reduce within CNE cluster using GENESIS calls
What XKS Doesn't Do

... well, automatically, anyways:

• Paired traffic heuristic-based approach

  • HTTP[S] imbalance (e.g. GET without response)

  • IP/DNS mismatch

... on an automatic basis:

• Network or host characterization

  • Changes in IP/DNS mapping over time

  • Changes over time in malware comms
Resources

• How to Discover Intrusions [using XKEYSCORE] (paper; authors redacted)

• MHS INDEX - Foreign CNE Discovery Page:

  https://wiki.itd.nsa/wiki/Foreign_CNE_Discovery

• CSEC and GCHQ - DONUT (unknown protocols):

  https://tiso.sigint.cse/snipehunt/index.php/DONUT

• GCHQ Discovery posted some research on detecting Man-on-the-Side attacks:

  https://tiso.sigint.cse/snipehunt/index.php/MQ~15

• GCHQ Disco Team posts POCs for different intrusions and some details:

  https://wiki.gchq/index.php/Discovery

• The GCHQ DISCO team also posts Discovery Theories they run once a week:

  https://wiki.gchq/index.php/Discovery_Afternoons

• XKEYSCORE Fingerprints
Using UO-obtained Iranian implant encryption keys, inline decrypt using XKS microplugin - IRGC-Qb keylogger data!
[Screenshot: XKEYSCORE session view in Firefox of a 2011-03-28 session (case notation IRS1014) with a decrypted keylogger.txt attachment shown via the TXT formatter (virus scan: clean); the Quick Clicks panel offers "Find fingerprint" (ntoc/.../malware/amulet botnet/AMULETSTELLAR), "Find traffic on" the session IPs, "Find application" (mail/webmail/yahoo) and "Find proxy hash". The keylog content shows Yahoo Mail and Yahoo Messenger window titles and keystrokes. Footer: "This system is audited for USSID 18 and Human Rights Act compliancy"; classification TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL.]
Contact

• MHS Index Team: [redacted]@nsa.ic.gov

• CES/TRANSGRESSION: [redacted]@nsa.ic.gov, [redacted]@nsa.ic.gov

• NSA Countering Foreign Intelligence: [redacted]@nsa.ic.gov

• NTOC: ??

• XKEYSCORE: xks-cne@r1.r.nsa